CVE-2026-6550: AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache
AWS Encryption SDK (ESDK) for Python is a client-side encryption library. An issue exists where, under certain circumstances, a specific cryptographic algorithm downgrade in the caching layer might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.
References
- aws.amazon.com/security/security-bulletins/2026-017-aws
- github.com/advisories/GHSA-v638-38fc-rhfv
- github.com/aws/aws-encryption-sdk-python
- github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1
- github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5
- github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-38fc-rhfv
- github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf
- nvd.nist.gov/vuln/detail/CVE-2026-6550
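A practitioner's first response to an advisory like this is to find every project that pins an affected build. The script below is an added example, not code from the advisory or from the AWS project: it screens a requirements-style manifest for pinned `aws-encryption-sdk` versions and classifies each pin. It assumes (labelled in the code) that the v3.3.1 and v4.0.5 release tags listed above are the first fixed builds on the 3.x and 4.x lines; pins on any other major line are reported as "unknown" rather than guessed, and unpinned or range specifiers are skipped because their installed version cannot be judged from the manifest alone.

```python
"""Screen a Python dependency manifest for aws-encryption-sdk pins that fall
below the fix releases referenced by CVE-2026-6550.

Added example; not code from the advisory or from the AWS project.
Assumption: the v3.3.1 and v4.0.5 release tags in the advisory's references
are the first fixed versions on the 3.x and 4.x lines.  Other major lines are
reported as "unknown" rather than guessed.
"""
import re
from dataclasses import dataclass

PACKAGE = "aws-encryption-sdk"

# First fixed version per major line (assumed from the advisory's release tags).
FIXED_VERSIONS = {
    3: (3, 3, 1),
    4: (4, 0, 5),
}

# Only exact pins ("name==x.y.z") are judged; a pre-release suffix such as
# "rc1" is ignored, so "3.3.0rc1" is treated as the 3.3.0 base version.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' collapse to '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Turn '3.3.0' into (3, 3, 0); pad to three components so tuples compare sanely."""
    parts = tuple(int(p) for p in text.strip().split(".") if p != "")
    return parts + (0,) * (3 - len(parts))


@dataclass
class Finding:
    requirement: str   # the manifest line, stripped
    version: tuple     # parsed version tuple
    status: str        # "vulnerable", "fixed" or "unknown"


def classify(version: tuple) -> str:
    """Compare a parsed version against the fixed version for its major line."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def screen_requirements(lines) -> list:
    """Return one Finding per pinned aws-encryption-sdk requirement, in file order."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _REQ_RE.match(line)
        if not m:
            continue  # blank line, comment, or an unpinned/range spec we do not judge
        name, ver = m.group(1), m.group(2)
        if normalize_name(name) != PACKAGE:
            continue
        v = parse_version(ver)
        findings.append(Finding(line.strip(), v, classify(v)))
    return findings


# Constructed sample manifest (not from the advisory); mixes spellings the
# package name may take in the wild.
SAMPLE_REQUIREMENTS = """
boto3==1.34.0
aws_encryption_sdk==3.3.0   # pre-fix 3.x line
aws-encryption-sdk==4.0.4
aws-encryption-sdk==4.0.5
aws-encryption-sdk==2.4.0
""".strip().splitlines()

if __name__ == "__main__":
    for f in screen_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.status:10s} {f.requirement}")
```

The classification deliberately stays within what the advisory supports: a 2.x pin is flagged "unknown" so that someone checks the advisory rather than trusting a guess, and the script reads only the manifest, so it should be paired with an inspection of the resolved environment (for example `pip freeze`) when the manifest uses ranges instead of exact pins.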